Did you know that your IP address can be exposed when MetaMask and NFTs come together?
MetaMask is the most powerful and most widely used crypto wallet, with 21 million users*¹! Whatever DeFi project you are dealing with, you will almost certainly see the option to connect with MetaMask. At the same time, it has become an essential tool in software development and testing.
With great power comes great responsibility. Given that MetaMask is such a mighty wallet, the following question arises: is it equally robust in terms of security and privacy? Before seeking an answer to this question, I will tell you a story from the Witcher series, of which I am a fan.
Not yet aware of her powers, Yennefer involuntarily opens a portal when she is attacked and comes to the sorcerer Istredd*³ in Aretuza*², the school of wizards.
The student sorcerer Istredd is surprised to see Yennefer, who has appeared out of nowhere, and when he realizes that she has opened a portal, he says, referring to Tissaia de Vries*², the trainer of the sorcerers:
“You need to get out of here quickly. Your powers have been revealed. She will come after you now.”
And so it happens: Tissaia de Vries quickly finds Yennefer, who has returned to her village, and takes her from her family.
Unfortunately, a similar scenario plays out in MetaMask. Your IP address is exposed when someone sends an NFT to your MetaMask wallet, just as Yennefer’s powers were revealed. Think about it: a malicious hacker, like Tissaia de Vries, can obtain your IP address and go after your assets.
Let’s go through the details together.
In the article published by Alex Lupascu on January 20, 2022, it turns out that it is straightforward for an attacker to find out the IP address of anyone (with a cost of only $50 and a simple NFT)! As soon as I saw the article, I tested it and confirmed the attack method on the Ethereum testnet (Rinkeby) and mainnet.*⁴
Before we get into the details of what the method is and how it works, there are a few technical issues to be aware of. If you have no knowledge of the following topics, I suggest you read them first:
Before we move on to the steps, let’s analyze how the attack works in theory. For testing and verification, I followed Alex Lupascu’s steps precisely.*⁵
Since storing the image itself on the blockchain would be very costly, storage-heavy elements are usually kept either on IPFS*⁶ or on an ordinary web server. This way the NFT’s metadata stays on the blockchain at low cost, while the images are served from a server that the metadata points to.
If an attacker creates an NFT and hosts its image on a server they control, they can log every request that reaches that server. After the NFT is created, the URI of the NFT image can be changed to a link served from this server. Then, when the victim tries to view the NFT in the MetaMask mobile wallet, the wallet fetches the image from the attacker’s server.
When your wallet requests the image, the request carries your IP address to that server. This is exactly where the attacker captures your IP address.
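As an added example (not code from the original article or from MetaMask), the following Python triage resolves an ERC-1155 token URI and classifies where a wallet would have to connect in order to render the image, so a user or wallet developer can spot assets that point at an arbitrary third-party host; the metadata and host names are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed ERC-1155 metadata for illustration; not taken from the article.
SAMPLE_URI = "https://example.invalid/api/item/{id}.json"
SAMPLE_METADATA = {
    "name": "Sample token",
    "image": "https://attacker-controlled.invalid/nft.png",
}

def resolve_erc1155_uri(uri: str, token_id: int) -> str:
    """Apply the ERC-1155 {id} substitution: 64 lowercase hex chars, no 0x."""
    return uri.replace("{id}", f"{token_id:064x}")

def classify_asset_url(url: str) -> str:
    """Classify which host a wallet contacts when it renders this asset.

    'inline'       : data: URL, no network request at all
    'ipfs'         : content-addressed; the wallet chooses the gateway
    'ipfs-gateway' : IPFS content but pinned to one HTTP gateway host
    'http-origin'  : arbitrary host chosen by whoever set the token URI
    """
    if url.startswith("data:"):
        return "inline"
    if url.startswith("ipfs://"):
        return "ipfs"
    parsed = urlparse(url)
    if parsed.scheme in ("http", "https"):
        # Common gateway layouts: /ipfs/<cid>/... or <cid>.ipfs.<gateway>
        if parsed.path.startswith("/ipfs/") or ".ipfs." in parsed.netloc:
            return "ipfs-gateway"  # still reveals the IP to the gateway host
        return "http-origin"       # the URI setter sees every viewer's IP
    return "unknown"

def privacy_risk(metadata: dict) -> tuple:
    """Return (classification, host) for the metadata's image field."""
    image = metadata.get("image", "")
    kind = classify_asset_url(image)
    host = urlparse(image).netloc if kind in ("ipfs-gateway", "http-origin") else ""
    return kind, host

if __name__ == "__main__":
    print(resolve_erc1155_uri(SAMPLE_URI, 1))
    print(privacy_risk(json.loads(json.dumps(SAMPLE_METADATA))))
```

Anything classified as http-origin (or a gateway host you do not trust) is the case the article describes: viewing the NFT makes the wallet talk to that host, so treat such a token as a request you did not consent to.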
Now that we understand the logic of the attack theoretically let’s look at how it is done step by step.
Step 1: First, we create a server on DigitalOcean.
Step 2: Then we create an NFT on the OpenSea testnet.
Choose the Rinkeby testnet as the blockchain.
Step 3: Now, it’s time to move on to the more technical part of the task. Let’s deploy the same Solidity code used by the author of the original article on Remix IDE.
While deploying the code to the Rinkeby testnet, we need to use the address of our NFT’s contract. All you need to do is click “Contract Address” in the NFT’s Details section on OpenSea.
In Remix IDE, I pasted the contract address I had just copied into the “At Address” field and pressed the “At Address” button.
Of course, to do that, we need to send the transaction from the wallet we created the NFT with.
We can see our contract deployed on Remix IDE:
Step 4: Using the “uri” function at the bottom, we can look up the URI of the relevant NFT. At this stage, I went to OpenSea again, copied the “Token ID”, pasted it here, and pressed the “uri” button. And here is our link.
Now it’s time to finish setting up our server:
In order to monitor incoming requests, we listen on port 80 with Netcat using the following command.
Then, we create a publicly reachable link for our server using ngrok.
Step 5: Now, if we replace the link in the NFT’s URI with the link we have just created, we can see the IP address of anyone who requests this address.
In the contract we have deployed from Remix IDE, we change our link using the “setURI” function.
Finally, when we check again, we see that our link has changed.
Step 6: Now, all we have to do is send the NFT via OpenSea to our victim’s wallet address and then wait for our victim to view this NFT with MetaMask Mobile.
Step 7: At this stage, I view the NFT from the MetaMask mobile app as if I were the victim:
We got the IP address the moment the NFT was displayed!
Conclusion
Although it looks like an impressive attack, some things are left to chance here. For example, the victim may not be using the MetaMask mobile application, or may never view their NFT through the mobile application. I am not a fan of offensive techniques that depend on the victim’s behavior. However, when it comes to security (offensive or defensive), we can’t leave it to chance!
So, what are the effects of capturing someone’s IP address?
If your IP address is exposed:
Let’s say you have a wallet with very valuable NFTs or cryptocurrencies, and you control it with the MetaMask mobile wallet. Unfortunately, malicious persons may try to collect a lot of data via your IP address, identify you, and kidnap, threaten, or harm you.
Apart from this, activists or journalists who defend Internet freedom can be targeted by governments, and their locations can be found by this method.
Let’s consider that I’ve created 21 million NFTs. I also have the wallet addresses of 21 million MetaMask users. I set the URI of these NFTs to a website I want to carry out a DDoS*⁷ attack against. Then I airdrop the NFTs to each of the MetaMask users. In theory, if many users try to view these NFTs simultaneously, an enormous number of requests will be sent to the target website, and servers that cannot process these requests will be temporarily out of service. However, users must view the NFT simultaneously for this attack to work. (IMO it is a long shot.)
In the article where the vulnerability was disclosed, it was stated that MetaMask has started working on a fix. Below is the relevant tweet from the founder of MetaMask.
There is not much that users can do about this vulnerability right now. However, it’s still worth going over a few safety tips:
- Do not share the seed phrase of your crypto wallets with anyone.
- Do not keep valuable NFTs or cryptocurrencies in your hot wallets or centralized structures.
- Do not use or view NFTs or cryptocurrencies sent to you without your consent.
- Keep in mind that your online presence can always be associated with you.
- Security is not just about a few precautions; it is a lifestyle. Make security your lifestyle.
Last but not least:
A note from SWB: it is always better to be cautious now than to be sorry later.
Sources and Explanations
*¹: MetaMask Surpasses 21 Million MAUs as ConsenSys Raises $200 Million to Make Web3 Universally Easy to Use, Access, and Build On
*²: Aretuza and Tissaia de Vries
*³: Istredd
*⁴: Since the images used to verify the vulnerability were not suitable for the article, the screenshots used in the blog post were recreated later.
*⁵: Some steps were shortened because they were unnecessary for the verification phase.
*⁶: The InterPlanetary File System is a protocol and peer-to-peer network for storing and sharing data in a distributed file system.
*⁷: Denial-of-service attack
Main Source: Critical privacy vulnerability — getting exposed by MetaMask
This article was originally published in the Turkish language on 28 January 2022.